Google is sending USB security keys to 10,000 users at high risk of cyberattack just days after warning that a Russian state-backed hacking group was targeting more than 14,000 government officials, journalists, activists and national security workers.

The physical security keys must be plugged into a device to authenticate a person’s identity. It is usually combined with another piece of information such as a password in what is known as two-factor authentication (2FA).

Many rely on SMS passcode authentication or authenticator apps to protect their online accounts, but cybersecurity experts say USB security keys provide an extra level of protection that makes it much harder for attackers to conduct phishing attacks.

Attackers can trick targets into sending an SMS code but they must gain physical access to the security key, in addition to knowing the user credentials.

On Thursday Google’s Threat Analysis Group (TAG) warned 14,000 Gmail users “across a wide variety of industries” that Russia’s state-backed hacking group APT28, also known as Fancy Bear, had sent out phishing emails designed to trick high profile people into revealing their passwords.

“[These] warnings indicate targeting not compromise,” said Google’s TAG director Shane Huntley via a Twitter thread on Thursday. “If we are warning you there’s a very high chance we blocked. The increased numbers this month come from a small number of widely targeted campaigns which were blocked.”

The phishing campaign follows a spate of Russia-linked cyberattacks this year, including the SolarWinds hack and ransomware attacks against Colonial Pipeline and meat processor JBS.

The chief of the UK’s National Cyber Security Centre (NCSC) reiterated the threat posed by Russia. During a recent Chatham House event she said cybercriminals based in Russia were behind most of the “devastating” ransomware attacks against the UK.

Google is also encouraging high-risk users to sign up to its Advanced Protection Program (APP), which Google says provides an extra level of security thanks to security keys, detection of unauthorised access to personal account data and personal account data protection. APP is available to all users but is “specifically designed for individuals and organisations at higher risk of targeted online attacks”.

Google’s TAG also advised targeted users to open Word documents in Google Docs or PDFs on Chrome.

Google parent Alphabet ranks third out of 44 companies for application software in a recent cybersecurity thematic scorecard from GlobalData, behind Amazon and Microsoft.

Google security keys a welcome line of defence

Google has been sending the security keys to high-risk users throughout 2021 with partner organisations. It sells its own security key called Titan which is currently out of stock in Google’s online store.

The devices contain cryptographic keys that communicate with a browser and domain during the login process.

“They do not just give out a dynamic code like Google Authenticator would do, but rather they are tying the certificate on the device to the person they are issuing it to,” explained Tom Van de Wiele, principal security consultant at F-Secure. “So now you have a way to id the person, authenticate them and if things go wrong, revoke the access for that individual.”

Google security keys

Google’s Titan security keys. (via Google)

Security experts told Verdict that Google sending out security keys was a welcome move.

“Forcing multi-layered security on Google accounts may sound like a heavy-handed approach to ensure security but it in fact helps protect those users most at risk,” said Jake Moore, cybersecurity specialist at ESET. “Security key entry as a second verification method is by far the best multi-factor authentication but can sometimes be difficult for people to implement, especially for those who aren’t so experienced with authentication.”

Joseph Carson, chief security scientist & advisory CISO at ThycoticCentrify, told Verdict that the more security tools such as USB security keys are integrated into everyday life, the “more we reduce the risks”.

He added: “Security keys just make it a little bit easier, however other methods of authentication will also help reduce the risks such as authenticators apps that reduce the need for password interactions.”

Moore agreed and said that authenticator apps “act as an easier middle ground which are safer than relying on SMS messages”.

However, Tom Jermoluk, CEO of Beyond Identity, said that advanced authenticator apps can be just as secure but without the risk of losing the security key.

“Security keys can be better than some authenticator apps that don’t provide high trust,” he told Verdict. “But authenticator apps that use device-based biometrics and integrated chips for highly secure cryptographic functions are better options as they introduce less user friction and better security.

Since 2017 Google has required the use of 2FA security keys internally and in the first year reported zero work-related account takeovers.

In May this year, Google announced it would enrol all users in its two-step verification (2SV) programme to cut passwords out entirely by using their mobile device to sign in.

Earlier this month, the tech giant said it would enable the service by default for 150 million accounts by the end of the year.

Google recommends registering a backup security key that can be used to recover accounts if a mobile device is lost.

“Businesses must look to move passwords into the background and get additional security controls that enhance the authentication and authorisation experience,” added Carson. “Another method to help reduce the risks is using privileged access security solutions that also help move passwords into the background. Identity is the new perimeter and access is the new security.”